Cutwail blasts out new fake software brand in spam – “Euro Software”
Posted on behalf of Yuriko Kako-Batt, Malware Data Analyst
People receive various spam emails every day, from dating scams and attempts to phish bank account information to loan offers and messages promoting porn sites, pharmaceuticals and replica watches. While the categories differ, many of them have similarities. In most cases the spammer’s aim is to make money, often by luring the victim into “online-shopping”.
Criminal gangs make their own branded websites, selling counterfeit or illegally obtained products, and they, or some hired spammers, send spam emails with various subjects and different URLs connecting to those websites. Recipients access the websites from the URL in the spam emails, and may choose to buy products there. Pharmaceutical spam, replica-watch spam, pirated-DVD spam and cheap-software spam all follow this model, although the products differ.
Usually these fake products are cheaper than the genuine ones (available from legitimate and well-known websites) because most of them are copied, pirated, forged, or counterfeited editions. In the case of pharmaceuticals, they are available without a prescription. Some sites will actually send the victim a product after they pay, but in most cases the victim may never receive anything upon payment. Gangs know that if they advertise their products in enough spam emails, people will never stop visiting their websites and buying their products. This is probably the biggest cash-generator in the shadow economy, and it could be these product sites that drive the development of botnets and the production of new malware, which in turn allows more spam to be sent.
MessageLabs Intelligence recently found a new “spammy” brand website named “Euro Software”. It appeared at the start of February 2010, and has been advertised in spam steadily ever since. These emails vary in a way we have seen with other gangs: spam emails with different subjects and URLs connected to the Euro Software branded website.
An example of a typical Euro Software spam:
Typical subjects include:
Best selling software 2010
Most popular business software quicken deluxe
Music selling software
Best software
Adobe Flex Builder 3 Pro
Kaspersky Internet Security 2010
Popular website software
Must have software
Popular peer to peer software
Office Professional 2007
CyberLink PowerDVD 9 Ultra
Top ten software
ACDSee Pro 3
Selling software online
Popular backup software
Macromedia Dreamweaver 8 for MAC
Popular mac software
And emails have included URLs such as:
And the URLs connect to this website:
These websites always pretend that the company behind them is famous and very successful with plenty of customers from all over the world. The websites are designed very well and they display other famous names and logos to add legitimacy and make them look like they are in business with these well-known, global brands. This false representation leads potential customers to believe it is safe to buy something from the websites.
On the website, Euro Software claims that:
“EuroSoftware Inc. and the European Manufacturer's Association have developed a special program of dropping prices for popular software in this period of world economic crisis. All in all, you can buy our software products very cheap!
We offer localized versions of the most popular software for PC and Macintosh. English, German, French, Italian, Spanish and many other languages! You can download and setup software instantly after purchasing. You don't need to go to a store any more or wait weeks for a package with CDs.
You can download any software in 20-30 minutes and don't need to pay hundreds of extra Euros or Dollars! Are you surprised at our offer and cheap prices? Click here and find out more about us. Please note, we are not selling any trial, incomplete or academic versions – all software is original and fully functional.”
These “Euro Software” spam emails are from one of the most famous and notorious botnets: Cutwail. Cutwail is currently responsible for about 5 percent of all spam sent globally. It sends approximately 3 million spam emails every minute, using a network of between 490,000 and 760,000 infected PCs (bots). Cutwail spam relating to “Euro Software” accounts for between 0.4 percent and 0.6 percent of all spam. This doesn’t sound like much but this equates to huge volumes sent to some unfortunate recipients. There are many kinds of spam gangs which are selling software on their own branded websites. But this “Euro Software” brand is new, and the volume of this spam has reached a level that far exceeds any other software-related spam brands. On average, all software-related spam brands account for 0.5-1.0 percent of spam, so Euro Software dominates the market at the moment.
How does the gang make this brand so big in such a short period of time? It’s possible that they had a good knowledge of the “online-shopping” spam business before they started. They may already run a steady stream of spam-related websites, in the same way that pharmaceutical website gangs run several different brands, as reported in my previous blogs http://www.symantec.com/connect/blogs/pharmacy-spam-pharmaceutical-websites-fall-two-distinct-operations and http://www.symantec.com/connect/blogs/new-pharmacy-spam-brand-spotted. Or they could be a new gang, with a new brand, that may become one of the spam-world’s major forces in the future.
It’s difficult to be certain at the moment. We will continue to track and monitor “Euro Software” spam and any related websites, and we hope to have more information to blog in the near future.
The Symantec Intelligence Blog published by Symantec.cloud serves as a conduit for communicating Intelligence data, trends and statistics based on analysis of cyber security threats, trends and insights from the Symantec Intelligence team comprised of many world-renowned malware and spam experts. Sitting on the front lines of defense, they have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day.